Subject: RISKS DIGEST 18.17

RISKS-LIST: Risks-Forum Digest  Tuesday 4 June 1996  Volume 18 : Issue 17

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
MARTA train jumps track (Stephen Cohoon)
Taipei subway computer crash (Calton)
New book by Peter Wayner on crypto and steganography (hide and seek) (PGN)
Report Opposes Administration's Cryptography Plans (Edupage)
New form of harassment; third-party paging (Joe Smith)
Cyber-terrorists blackmail banks and financial institutions (The Dodger)
"Secret lie-detector test from a distance" (Daniel P. B. Smith)
MIME bites equations (Geoff Kuenning)
Loopy Mail (Kevin Rainier)
Risks of insufficient concept design (Andrew Pam)
Election "Glitch" in Cape Town (David Kennedy)
Roundoff error on Detroit Edison bills (Jim Rees)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 3 Jun 1996 11:02:23 -0400 (EDT)
From: cohoon@snt.bellsouth.com (Stephen Cohoon)
Subject: MARTA train jumps track

On Saturday, June 1, 1996, a commuter train operated by the Metro Atlanta Regional Transit Authority (MARTA) had one car leave the track, causing injuries to 19 people and much embarrassment for the "Official Spectator Transportation System" for the Olympic games.

According to local TV news and newspaper reports, the train had stopped before a red signal, apparently on automatic control. The operator called dispatch requesting permission to go to manual. Permission was granted and the operator proceeded *through the red signal*, setting off alarms. The train was stopped and put into reverse. As one of the middle cars passed over a crossover switch, some or all of its wheels were lifted and displaced. The train stopped very suddenly, tossing the operator and 18 passengers from their seats.
MARTA does not consider this a derailment because no cars fell on their sides. A MARTA person interviewed on camera said there is no time that any train on manual or automatic should pass a red signal. The operator, the supervisor on duty and the dispatcher have been suspended pending a review.

Personal opinion: this is a familiar scenario often repeated in RISKS but apparently not yet learned by those responsible for critical safety systems. Operator training and supervision must exceed the capacity of a system to cause harm to people. Manual overrides must be designed to increase safety, not allow safety systems to be subverted.

In 47 days over a million people will come to Atlanta. There is no way MARTA can repair the public relations damage caused by this incident in that time. I ride the line on which this happened every day. In the 4 years I have been here I have found MARTA to be a safe and reliable system compared to the alternative of driving through the daily carnage of the freeways. I will continue to use MARTA even though this incident has been a disappointment to me. Perhaps this will cause heightened vigilance and improved supervision which may help prevent a larger disaster while every news reporting organization in the world is in town.

Stephen M. Cohoon, BellSouth Telecommunications, 675 W. Peachtree St. NE, Room 41G70, Atlanta, GA 30375  cohoon@snt.bellsouth.com  (404)332-2275

  [You wouldn't want to be a MARTA to the cause-way!  PGN]

------------------------------

Date: Tue, 4 Jun 1996 19:13:28 -0700
From: calton@cse.ogi.edu
Subject: Taipei subway computer crash

Taipei's only subway line service was completely disrupted on Monday morning, 3 June 1996, due to the simultaneous shutdown of both the main computer and the backup system. The control center ordered an emergency shutdown of the entire system, which did not cause any train accidents or casualties.
The subway company reported that at 9:27am on that morning, the main control computer suddenly printed out 14 pages of extraneous program code. Eight minutes later, both the main control computer and the backup system went down. Maintenance engineers, with the help of a Matra engineer (the company that supplied the control software), were unable to reboot either system. Digital engineers (the company that supplied the hardware) arrived shortly and discovered that one of the rebooting programs was missing. They reloaded the rebooting program from backup media and the subway line/system returned to normal functions after four hours and thirty-four minutes.

The situation is complicated by the recent breakdown in contract negotiations between the subway company and Matra for maintenance. Matra has taken back most of its maintenance personnel, but the subway company has not fully acquired the capability for maintaining the entire system, including the computing system, particularly the proprietary control software written by Matra.

The subway company presumes the incident to be sabotage and has asked the police authorities to investigate. The police computer experts have declared that it is difficult to investigate the control software consisting of more than ten million lines of code. Furthermore, the police have not ruled out the other possibilities such as operator error and software design error.

In the public opinion section of the same newspaper, several readers discussed the risks involved in this kind of incident. The section title was "The important question is: who should be responsible for computer security", subtitle "who sabotaged the computer is secondary."

(Source: digest/translation of news from United Daily News, Taipei, 5 June 1996.)

  [5 June?  Oh, yes, remember the International Date Line.  But if you indulge in international dates in Taipei, be prepared for Matra-mony.  And note that MARTA and Matra are anagrams.  They seemed to belong together.
  PGN]

------------------------------

Date: Mon, 3 Jun 96 16:42:10 PDT
From: "Peter G. Neumann"
Subject: New book by Peter Wayner on crypto and steganography (hide and seek)

Cryptography is certainly not the only way to hide information, and in some cases perhaps not even the best way. For a delightful easy-to-read book on a range of related topics with particular attention to steganography (for example, hiding information so that it perfectly naturally looks like something else, such as making your encrypted PGP message look like a .gif file of the Mona Lisa), consider Peter Wayner's new book. It is a gold mine full of fascinating nuggets, and they all seem to fit together into a brand-new golden oldie.

Peter Wayner, Disappearing Cryptography: Being and Nothingness on the Net, AP Professional (Academic Press), Chestnut Hill, Massachusetts, 1996.

------------------------------

Date: Sun, 2 Jun 1996 15:19:35 -0400 (EDT)
From: Edupage Editors
Subject: Report Opposes Administration's Cryptography Plans

Rejecting Clinton Administration arguments that law enforcement efforts would be hampered by cryptography technology now based on a "key escrow" system allowing the government to decode any electronic communications after obtaining a court order, a report prepared for the National Research Council of the National Academy of Sciences says that unbreakable cryptography would actually help prevent crime by preventing criminals from intercepting legitimate business transactions. The report recommends dropping steep export controls currently placed by the government on products using the 56-bit key Data Encryption Standard, which offers significantly greater communications security than the 40-bit-key code that may be freely exported. (*The New York Times*, 31 May 1996, p. C1; Edupage 2 June 1996)

  [The executive summary of the report can be found at http://www2.nas.edu/cstbweb .
  PGN]

------------------------------

Date: 1 Jun 1996 18:14:36 -0700
From: inwap@best.com (Smith and O'Halloran)
Subject: New form of harassment; third-party paging

Summary: Tricking pager owners to do the harassment for you

While trying to catch some Zs, my pager went off twice in quick succession. The number was one I did not recognize, XXX-XXXX-911. I called the number and a limousine service answered. Turns out that some guy had been harassing the women there over the phone, and now he has gotten innocent bystanders to help him unwittingly.

Apparently this guy obtained a list of pager numbers (or found an exchange that is densely populated with pager numbers) and is sending the limousine company's phone number out. The police are involved, but are having a difficult time tracking down the culprit. They believe he is using one or more pirated cellular telephones.

Joe
INWAP.COM is Joe and Sally Smith, John and Chris O'Halloran (and our cats).

------------------------------

Date: Sun, 2 Jun 1996 14:52:03 +0100 (BST)
From: The Dodger
Subject: Cyber-terrorists blackmail banks and financial institutions

The following article appeared on the front page of the *Sunday Times* (a British newspaper) on Sunday, 2 June 1996, under the banner headline 'City surrenders to 400m-pound gangs':

City of London financial institutions have paid huge sums to international gangs of sophisticated "cyber terrorists" who have amassed up to £400m worldwide by threatening to wipe out computer systems.

Banks, broking firms and investment houses in America have also secretly paid ransoms to prevent costly computer meltdown and a collapse in confidence among their customers, according to sources in Whitehall and Washington.

An Insight investigation has established that British and American agencies are examining more than 40 "attacks" on financial institutions in New York, London and other European banking centres since 1993.
Victims have paid up to £13m a time after the blackmailers demonstrated their ability to bring trading to a halt using advanced "information warfare" techniques learnt from the military.

According to the American National Security Agency (NSA), they have penetrated computer systems using "logic bombs" (coded devices that can be remotely detonated), electromagnetic pulses and "high emission radio frequency guns", which blow a devastating electronic "wind" through a computer system.

They have also left encrypted threats at the highest security levels, reading: "Now do you believe we can destroy your computers?"

The authorities have been unable to stem the attacks, which are thought to originate from the United States. In most cases, victim banks have failed to notify the police.

"They have given in to blackmail rather than risk a collapse in confidence in their security systems," said a security director at one blue-chip merchant bank in the City.

A senior detective in the City of London police said: "We are aware of the extortion methods, but the banking community has ways of dealing with it and rarely reports to the police."

European and American police forces have set up special units to tackle the cyber criminals who, Ministry of Defence sources believe, have netted between £200m and £400m globally over the past three years. But law enforcement agencies complain that senior financiers have closed ranks and are hindering inquiries.

Experts in information warfare met in Brussels last month to discuss defensive measures. Representatives included Captain Patrick Tyrrell, assistant director of computer information strategy at the Ministry of Defence; General James McCarthy, professor of national security at the US Air Force Academy, General Jean Pichot-Duclos, director of the economic intelligence department of the French Defence Council, and senior figures from the civilian computer industries.
A separate closed meeting involving representatives from Whitehall and the intelligence community was held to analyse the 40 attacks on British and American financial centres since 1993. A further secret seminar took place in Washington this weekend.

Kroll Associates, the international investigating firm, confirmed last week that it had acted for financial institutions that have been blackmailed. "One of the problems we face is that the potential embarrassment from loss of face is very serious," said a spokesman in New York. Kroll had evidence that firms in London and New York had been targeted. "The problem for law enforcement is that the crime is carried out globally, but law enforcement stops at the frontier," he said.

Yesterday a Bank of England spokesman acknowledged the threat from extortionists: "We are aware of this. It does exist. It is extortion and fraud." But the spokesman also insisted: "It is not the biggest issue in the banking market."

Scotland Yard is now taking part in a Europe-wide initiative to catch the cyber criminals and has appointed a senior detective from its computer crime unit to take part in an operation codenamed Lathe Gambit. Such is the secrecy that few details about the inquiry have emerged.

In America, the FBI has set up three separate units to investigate computer extortion. The NSA believes there are four cyber gangs and has evidence that at least one is based in Russia. The agency is now examining four examples of blackmail said to have occurred in London:

o January 6, 1993: Trading halted at a broking house after blackmail threat and computer crash. Ransom of £10m paid to account in Zurich.
o January 14, 1993: a blue-chip bank paid £12.5m after blackmail threats.
o January 29, 1993: a broking house paid £10m in ransom after similar threats.
o March 17, 1995: a defence firm paid £10m in ransom.
In all four incidents, the gangs made threats to senior directors and demonstrated that they had the capacity to crash a computer system. Each victim conceded the blackmailer's demands within hours and transferred the money to off-shore numbered accounts, from which it was removed by the gangs within minutes.

The techniques have varied. In London, criminals posing as marketing firms have gained detailed knowledge of a target's system by interviewing the heads of information technology departments. In some cases, they have even issued questionnaires to unsuspecting officials. Armed with this information, they have been able to breach security and leave encrypted messages warning of their capability.

The gangs are believed to have gained expertise in information warfare techniques from the American military which is developing "weapons" that can disable or destroy computer hardware. Some are also known to have infiltrated banks simply by placing saboteurs on their payroll as temporary staff.

Little is yet known about the identities of the gangs, but, according to the NSA, America is the main source of the attacks. It believes that at least one other group originates from Russia and has followed the movement of money to the former Soviet States.

A spokesman for the Metropolitan police said: "There is potential for extortion from those purporting to know how to damage computer systems.

"The computer crime unit liaises where necessary with its Euro counterparts to discuss cross-frontier crimes."

One merchant bank director said yesterday: "You will never get a financial institution to admit it has an extortion policy, let alone that it has paid money to blackmailers."

Personally, I view this story with marked scepticism. I have no doubt that it is true to a certain extent, but the idea of banks forking out ten million pounds (circa $14m) to a blackmailer is one I find slightly unrealistic. In any case, I'm sure we'll hear more about this story in the future.
The Dodger  dodger@spodbox.linux.org.uk  http://spodbox.linux.org.uk/~dodger/

------------------------------

Date: Tue, 4 Jun 1996 11:01:12 -0400 (EDT)
From: "Daniel P. B. Smith"
Subject: "Secret lie-detector test from a distance"

*Computerworld*, 3 June 1996, p. 4, "Patent Watch" says that patent 5,507,291 covers "a system for remote analysis of a person's emotional or metabolic state, such as performing a secret lie-detector test from a distance. Energy waves are reflected off the object to determine blood pressure, pulse rate, pupil size, respiration rate, and perspiration level. A computer compares the readings with normal levels."

And HAL could only read lips!

Daniel P. B. Smith  dpbsmith@world.std.com

------------------------------

Date: Wed, 29 May 1996 12:57:36 -0700
From: Geoff Kuenning
Subject: MIME bites equations

A few days ago, a subscriber to Yacht-L (a sailing-related mailing list) decided to post a few useful equations to the list. Some of the equations involved time/speed/distance conversions, with distance represented by "D".

Unfortunately, he used a MIME-enabled mailer to do the posting, and MIME decided that the nasty old "equals" sign was a sufficiently weird character that had best be encoded in hex. It happens that the proper hex is "3d", but MIME likes upper-case -- and to make matters really bad, it introduces the hex code with an equals sign. So the equation:

        S = D / T

became:

        S =3D D / T

to the great confusion of many list subscribers, who couldn't understand why you would want to square and triple the distance in such a simple equation.

The RISK? When inventing a standard, one should consider the impact on non-conforming systems.

Geoff Kuenning  g.kuenning@ieee.org  geoff@ITcorp.com  http://ficus-www.cs.ucla.edu/ficus-members/geoff/

  [We have been around this basic problem before in RISKS on several occasions, but the problem keeps biting me in attempting to moderate RISKS, so I am not surprised to find new instances.
  PGN]

------------------------------

Date: 4 Jun 96 14:20:39 EDT
From: Kevin Rainier
Subject: Loopy Mail

It all started innocently enough. Last night somebody sent a message to the recreational mailing list "virtua-fighter@netcom.com". This is an infrequently used mailing list for the discussion of the Virtua Fighter family of SEGA arcade games. Since the last time somebody had used the list a Microsoft employee left the company -- perhaps he died -- and the mail address is no longer valid. Microsoft is a helpful company and informed the list (automatically, of course) that the address is not valid. Netcom is a helpful list server and sent the message to all recipients of the list, including the late, lamented employee of Microsoft. And so it continued. And continued.

It's now morning. I'm receiving a message every two or so minutes, the subject line has maxed out with "Undeliverable: Undeliverable: ...". Members of the list have just begun arriving at their desks and discovering over 150 messages from postmaster@microsoft.com via the virtua-fighter mailing list. Naturally, they panic and rush to unsubscribe from the list. Not knowing how to do that, they send an "unsubscribe" message to -- where else -- "virtua-fighter@netcom.com". Which sends a message to the user at Microsoft. So far we've had five attempts to unsubscribe.

As I've been composing this mail, the frequency of new mail has increased to more than one message per minute. Oh no. There's a bad address at dartmouth.edu. It replied to the list too. I suppose I can hope that it won't reply to its own replies. But I'm sure that Microsoft will. And since the Dartmouth message is responding to a Microsoft "Failed Mail" message, that part of the loop is working just fine.

Hmm, I just found out that our outgoing mail server isn't working, though our incoming one is working just fine. I love computers.
One final postscript: I just received a message (two hours after the above portions were written) from the list maintainer -- the list is now dead. I also haven't received any new autoreply messages for an hour. Seems that the storm has passed.

kevin_rainier@crd.lotus.com

  [If the RISKS experience is any indication, there are days on which I get 20 or 30 NEW bounces on addresses that worked the day before. One new bounce an hour would have added more to your enjoyment.  PGN]

------------------------------

Date: Mon, 3 Jun 1996 23:37:12 +1000 (EST)
From: Andrew Pam
Subject: Risks of insufficient concept design

I've just seen the announcement for a new Web server facility called SiteShield(tm) (see http://maximized.com/products/siteshield/). From their marketing information:

: SiteShield is an exciting new concept in Web content protection.
: SiteShield permits content providers to place copyright-protected images
: on web pages without the fear that they can easily be stolen and
: re-used. Employing proprietary server-based technology, SiteShield
: allows webmasters to simply indicate which images need protection.
: Finally, webmasters can feel confident that the images they are placing
: on web sites are being protected.

What it appears to do is send an intentionally corrupted image if the Referer: header indicates that the page from which the image was referenced is not on the same site as the image itself. There are a number of problems with this concept, but the most glaring is that once the image has been displayed on the screen it can easily be captured and saved to a file, thus completely defeating the entire purpose of the product.

The Xanadu solution is to transcopyright the images, granting prior permission for them to be referenced online providing a link back to the original site is maintained.

THE RISKS?
Well, apart from the obvious risk that the product may well fail since it can be so easily defeated, it probably also won't work with older browsers that don't return the Referer: header and is known to have problems (as you would expect) with caches.

Andrew Pam, Coordinator, Xanadu Australia, Technical Editor, Glass Wings, Manager, Serious Cybernetics  xanni@aus.xanadu.com  +61 3 96511511

------------------------------

Date: 03 Jun 96 18:08:45 EDT
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Election "Glitch" in Cape Town

Courtesy of Reuters News via CompuServe's Executive News Service:

Counting glitch delays final Cape Town result
Reuters Financial Report 6/1/96 10:34 AM

>>   CAPE TOWN, June 1 (Reuter) - A computer error forced
>>officials on Saturday to award South Africa's ANC an extra seat
>>in Cape Town's first post-apartheid city election and the
>>glitch will delay the final outcome until next week.
>>   Election officials said 2,000 ANC votes and one seat in the
>>city's Tygerberg area, which includes the black township
>>Khayelitsha where the party is strong, had wrongly been given
>>to a tiny religious party. [...]
>>   Results were expected on Friday or shortly thereafter but
>>the formula under which the council is elected -- a mix of ward
>>seats and proportional representation -- will now have to be
>>put through computers again. [...]

[DMK: To see if the glitch is reproducible? The article is chiefly about SA politics, with no specific description of the "glitch" and actions to prevent it from reproducing.]

>>   ANC officials said they wanted a swift explanation from the
>>chief election officer about what went wrong and would consider
>>court action over the election results if he failed to respond.
>>   "If they could make that mistake in one ward, the chances
>>are that other mistakes have been made elsewhere," Western Cape
>>ANC leader Chris Nissen told Reuters.

Dave Kennedy [CISSP] Information Security Analyst, National Computer Security Assoc.
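Geoff Kuenning's "MIME bites equations" item above comes down to quoted-printable's choice of "=" as its escape character. The Python below is an added example, not code from the digest or from any of its contributors: it encodes and decodes as RFC 2045 section 6.7 defines, shows what a conforming and a non-conforming reader each display for a constructed copy of the Yacht-L posting, and gives a heuristic a list moderator can run to spot and repair articles that arrive with their escapes undecoded. The message and addresses are constructed.

```python
import email
import quopri
import re

# Constructed sample: the Yacht-L posting as a MIME mailer would have sent it.
# '=' is quoted-printable's escape character, so "S = D / T" goes out as
# "S =3D D / T", and the Content-Transfer-Encoding header says to undo that.
SAMPLE_MESSAGE = (
    b"From: sailor@example.invalid\n"
    b"To: yacht-l@example.invalid\n"
    b"Subject: useful equations\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    b"S =3D D / T\n"
)


def encode_qp(text: bytes) -> bytes:
    """Quoted-printable as RFC 2045 section 6.7 defines it: '=' and bytes
    outside printable ASCII become '=XX' in upper-case hex, and a line longer
    than 76 columns is split with a soft line break ('=' + newline)."""
    return quopri.encodestring(text)


def decode_qp(text: bytes) -> bytes:
    """The step a MIME-aware reader performs before display."""
    return quopri.decodestring(text)


def body_for_mime_reader(raw: bytes) -> bytes:
    """Conforming reader: honours Content-Transfer-Encoding and decodes."""
    return email.message_from_bytes(raw).get_payload(decode=True).rstrip(b"\n")


def body_for_non_mime_reader(raw: bytes) -> bytes:
    """Non-conforming reader (the confused subscribers): the header is
    ignored and the escape sequences are shown literally."""
    payload = email.message_from_bytes(raw).get_payload(decode=False)
    return payload.encode("ascii", "surrogateescape").rstrip(b"\n")


# Escapes that in practice only occur as undecoded quoted-printable:
# '=' itself, space, CR and LF, plus a soft line break.  A lone "=A1" in a
# hex dump does not trigger this, which keeps false positives down.
_LEAKED_QP = re.compile(rb"=(?:3D|20|0D|0A)|=\r?\n")


def looks_like_leaked_qp(body: bytes) -> bool:
    """Moderator's check on an article received as plain text: True when
    it still carries quoted-printable escapes that nobody decoded."""
    return _LEAKED_QP.search(body) is not None


def repair_leaked_qp(body: bytes) -> bytes:
    """Decode only when the check fires; otherwise leave the text untouched."""
    return decode_qp(body) if looks_like_leaked_qp(body) else body
```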
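Kevin Rainier's "Loopy Mail" item above is a textbook mail loop: a list that names itself as envelope sender redistributes the non-delivery reports it receives. The Python below is an added simulation, not part of the original item, with constructed addresses; it replays the loop and then the two list-side mitigations (a dedicated bounce address as return path, and refusing to redistribute Auto-Submitted mail, RFC 3834), while leaving the bouncing server as naive as the story describes.

```python
from collections import deque
from dataclasses import dataclass

# Constructed addresses standing in for the list, its members and the
# ex-employee's dead mailbox from the item above.
LIST_ADDR = "virtua-fighter@list.example"
BOUNCE_ADDR = "virtua-fighter-bounces@list.example"   # dedicated return path
HUMANS = ["alice@a.example", "bob@b.example", "carol@c.example"]
DEAD_MAILBOX = "departed@corp.example"
MEMBERS = HUMANS + [DEAD_MAILBOX]


@dataclass(frozen=True)
class Message:
    return_path: str        # envelope sender; where non-delivery reports go
    recipient: str
    subject: str
    auto_submitted: bool = False   # RFC 3834 Auto-Submitted: auto-replied


def bounce_for(msg: Message) -> Message:
    """The dead mailbox's server.  It is modelled as naive, bouncing even
    auto-submitted mail, which is what the item describes; the only rule it
    follows is the classic one of using the null return path (<>)."""
    return Message(return_path="", recipient=msg.return_path,
                   subject="Undeliverable: " + msg.subject, auto_submitted=True)


def expand_list(msg: Message, mitigated: bool) -> list:
    """List server.  Unmitigated: redistribute anything sent to the list and
    name the list itself as return path, so bounces come straight back in.
    Mitigated: never redistribute auto-submitted mail, and use a dedicated
    bounce address as return path so the list software sees the failure."""
    if mitigated and msg.auto_submitted:
        return []
    return_path = BOUNCE_ADDR if mitigated else LIST_ADDR
    return [Message(return_path, member, msg.subject) for member in MEMBERS]


def simulate(mitigated: bool, max_steps: int = 500) -> dict:
    """Deliver messages one at a time until the queue drains or max_steps
    is reached.  A non-empty queue at the end means the loop is still running."""
    queue = deque([Message("fan@d.example", LIST_ADDR, "VF3 cabinet sighted")])
    per_human = {h: 0 for h in HUMANS}
    bounces_logged = 0
    max_nesting = 0
    steps = 0
    while queue and steps < max_steps:
        steps += 1
        msg = queue.popleft()
        max_nesting = max(max_nesting, msg.subject.count("Undeliverable: "))
        if msg.recipient == LIST_ADDR:
            queue.extend(expand_list(msg, mitigated))
        elif msg.recipient == DEAD_MAILBOX:
            if msg.return_path:          # never bounce a message from <>
                queue.append(bounce_for(msg))
        elif msg.recipient == BOUNCE_ADDR:
            bounces_logged += 1          # the list now knows which member is dead
        elif msg.recipient in per_human:
            per_human[msg.recipient] += 1
    return {"looping": bool(queue), "steps": steps, "per_human": per_human,
            "bounces_logged": bounces_logged, "max_nesting": max_nesting}
```

Either mitigation alone stops this particular loop; together they also cover the second bad address at dartmouth.edu, whose bounces would otherwise be redistributed through the same path.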
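Andrew Pam's SiteShield item above describes a Referer-based choice between the real image and a corrupted one. The Python below is an added model of that description, with constructed host names and image bytes, not SiteShield's own code: it shows the request the scheme cannot classify (no Referer, as with the older browsers he mentions) and why a shared cache ends up handing the corrupted copy to on-site visitors unless the response varies on Referer.

```python
from urllib.parse import urlsplit

# Constructed names and image bytes.  This models the behaviour described
# in the item above; SiteShield's internals are not known from the page.
IMAGE_HOST = "gallery.example"
IMAGE_URL = "http://gallery.example/images/monalisa.gif"
REAL_IMAGE = b"GIF89a<real image data>"
DECOY_IMAGE = b"GIF89a<deliberately corrupted data>"


def referer_host(req_headers: dict):
    """Host named by the Referer header, or None when none was sent
    (older browsers send none, and some caches and proxies strip it)."""
    value = req_headers.get("Referer")
    if not value:
        return None
    return (urlsplit(value).hostname or "").lower() or None


def choose_image(req_headers: dict, fail_open: bool) -> bytes:
    """Same-site Referer: real image.  Foreign Referer: corrupted decoy.
    No Referer: the scheme cannot classify the request, so the operator
    must either serve everyone who sends no Referer (fail_open=True) or
    corrupt the image for every older browser (fail_open=False)."""
    host = referer_host(req_headers)
    if host == IMAGE_HOST:
        return REAL_IMAGE
    if host is None:
        return REAL_IMAGE if fail_open else DECOY_IMAGE
    return DECOY_IMAGE


def respond(req_headers: dict, fail_open: bool = True, vary_on_referer: bool = False):
    """Origin server: (body, response headers).  Without a Vary header the
    decoy is as cacheable under the image's URL as the real image is."""
    resp_headers = {"Content-Type": "image/gif"}
    if vary_on_referer:
        resp_headers["Vary"] = "Referer"
    return choose_image(req_headers, fail_open), resp_headers


class SharedCache:
    """Minimal shared cache keyed on URL plus the request headers listed in
    the response's Vary header (the secondary key real HTTP caches use)."""

    def __init__(self):
        self.entries = {}   # url -> list of (vary field values, body)

    def fetch(self, url: str, req_headers: dict, origin) -> bytes:
        for fields, body in self.entries.get(url, []):
            if all(req_headers.get(h) == v for h, v in fields.items()):
                return body                       # cache hit
        body, resp_headers = origin(req_headers)  # miss: ask the origin
        vary = [h.strip() for h in resp_headers.get("Vary", "").split(",") if h.strip()]
        fields = {h: req_headers.get(h) for h in vary}
        self.entries.setdefault(url, []).append((fields, body))
        return body


def cache_scenario(vary_on_referer: bool) -> bytes:
    """A visitor of a page elsewhere warms the shared cache first; then a
    legitimate on-site visitor requests the same URL through the same cache."""
    cache = SharedCache()

    def origin(req_headers):
        return respond(req_headers, vary_on_referer=vary_on_referer)

    cache.fetch(IMAGE_URL, {"Referer": "http://other.example/page.html"}, origin)
    return cache.fetch(IMAGE_URL, {"Referer": "http://gallery.example/index.html"}, origin)
```

Vary: Referer keeps the decoy away from on-site visitors but leaves the cache with one entry per referring page; marking decoy responses Cache-Control: no-store is the other way to keep them out of shared caches.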
------------------------------

Date: Fri, 17 May 1996 19:10:52 -0400
From: Jim Rees
Subject: Roundoff error on Detroit Edison bills

Detroit Edison's residential electric bill has a section titled "Energy Use Report." This section reports incorrect numbers due to improper integer roundoff. One of the fields gives the average daily energy use for the month in Kilowatt-hours, rounded to the nearest integer value. Another field gives the percent change against the same month for the previous year. The percent change is calculated using the rounded value for energy use. This can result in large errors.

For example, my February 1996 use was 11.68 KWh/day, compared to 11.21 the previous year. After rounding this becomes 12 compared to 11, and the change is reported on the bill as 9 percent (12/11 - 1) instead of the correct 4 percent (11.68/11.21 - 1).

I wrote to Detroit Edison about this. Their only response was an offer to "assist [you] in understanding how the percentage ... is calculated." Since I already know how it is calculated (incorrectly), I declined the offer.

One RISK would be to assume that the entire bill is correct just because part of it (the billed amount) is subject to government regulation.

------------------------------

Date: 18 March 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] INFO [for unabridged version of RISKS information]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored.
Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review.

* Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form.

* Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse. As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections.

RISKS ARCHIVES: ftp ftp.sri.com
                login anonymous
                [YourNetAddress]
                cd risks or cwd risks, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
ftp://ftp.sri.com/risks
The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above).
------------------------------

End of RISKS-FORUM Digest 18.17
************************